From 7e3f7f1dbbad187707db8bff2a4e8cf67f893ea8 Mon Sep 17 00:00:00 2001
From: Aditya
Date: Mon, 28 Oct 2024 14:43:40 +0530
Subject: [PATCH] test: Add test cases for req -cipher option
Reviewed-by: Tom Cosgrove
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/25796)
---
 test/recipes/25-test_req.t | 52 +++++++++++++++++++++++++++++++++++++-
 test/test.cnf | 1 -
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index a0f1efdab1..72234feb2c 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_req");
-plan tests => 110;
+plan tests => 111;
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -355,6 +355,56 @@ subtest "generating SM2 certificate requests" => sub {
 }
 };
+subtest "generating certificate requests with -cipher flag" => sub {
+ plan tests => 6;
+
+ diag("Testing -cipher flag with aes-256-cbc...");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-newkey", "rsa:2048",
+ "-keyout", "privatekey-aes256.pem",
+ "-out", "testreq-rsa-cipher.pem",
+ "-utf8",
+ "-cipher", "aes-256-cbc",
+ "-passout", "pass:password"])),
+ "Generating request with -cipher flag (AES-256-CBC)");
+
+ diag("Verifying signature for aes-256-cbc...");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsa-cipher.pem", "-noout"])),
+ "Verifying signature on request with -cipher (AES-256-CBC)");
+
+ open my $fh, '<', "privatekey-aes256.pem" or BAIL_OUT("Could not open key file: $!");
+ my $first_line = <$fh>;
+ close $fh;
+ ok($first_line =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/,
+ "Check that the key file is encrypted (AES-256-CBC)");
+
+ diag("Testing -cipher flag with aes-128-cbc...");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-newkey", "rsa:2048",
+ "-keyout", "privatekey-aes128.pem",
+ "-out", "testreq-rsa-cipher-aes128.pem",
+ "-utf8",
+ "-cipher", "aes-128-cbc",
+ "-passout", "pass:password"])),
+ "Generating request with -cipher flag (AES-128-CBC)");
+
+ diag("Verifying signature for aes-128-cbc...");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsa-cipher-aes128.pem", "-noout"])),
+ "Verifying signature on request with -cipher (AES-128-CBC)");
+
+ open my $fh_aes128, '<', "privatekey-aes128.pem" or BAIL_OUT("Could not open key file: $!");
+ my $first_line_aes128 = <$fh_aes128>;
+ close $fh_aes128;
+ ok($first_line_aes128 =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/,
+ "Check that the key file is encrypted (AES-128-CBC)");
+};
+
 my @openssl_args = ("req", "-config",
srctop_file("apps", "openssl.cnf"));
 run_conversion('req conversions',
diff --git a/test/test.cnf b/test/test.cnf
index e0135ca206..3d1a823a7a 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -50,7 +50,6 @@ emailAddress = optional
 ####################################################################
 [ req ]
 distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
 # Make altreq be identical to req
 [ altreq ]
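Review bot: In the new `-cipher` subtest of test/recipes/25-test_req.t, the two `BEGIN ENCRYPTED PRIVATE KEY` checks prove only that the key file was encrypted, not that the cipher named on the command line was the one applied, so the AES-256 and AES-128 cases would both still pass if `-cipher` were ignored and a default cipher used. Because this patch also drops `encrypt_rsa_key = no` from the shared `[ req ]` section of test.cnf, encryption presumably happens with or without `-cipher`, which weakens the header check further. That removal also changes behaviour for every other recipe that loads test.cnf, so it is worth confirming none of them generate keys without `-noenc`/`-nodes` or a `-passout`. Consider asserting on the algorithm recorded in the PKCS#8 structure, for example `my @asn1 = run(app(["openssl", "asn1parse", "-in", "privatekey-aes256.pem"]), capture => 1);` followed by `ok(scalar(grep { /aes-256-cbc/ } @asn1), "key is encrypted with AES-256-CBC");`, with the same pair for aes-128-cbc and the subtest plan raised to match.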